
Re: xfig(1) in Debian 8/Jessie




Xfig 3.2.6a can be downloaded from sourceforge,
https://sourceforge.net/projects/mcj/, and compiled in Debian
8/Jessie, with "./configure --without-xaw3d" (if installed; apparently,
there is an issue between Debian 8/Jessie's xaw3d(3) and
xaw3d1_5e(3).)

This, apparently, fixes the core dump created by dot-dash-dot lines
being in a file, or being drawn by a user.

It is suggested that Debian 8/Jessie's repo be upgraded, replacing the
vulnerable version.

    John

John Conover writes:
> 
> Hi Henrique. The problem was created by the Xfig 3.2 patchlevel 5b to
> 5c patchlevel, and has been fixed in 3.2.6, according to the xfig site
> at sourceforge.
> 
> Might be a good idea to fix it in the repositories and updates because
> of application/x-xfig in ~/.mailcap vulnerabilities. (The problem
> doesn't affect Debian 7/Wheezy, or before, just Jessie and perhaps
> Stretch.)
> 
>     Thanks,
> 
>     John
> 
> Henrique de Moraes Holschuh writes:
> > On Sun, 06 Aug 2017, John Conover wrote:
> > > On Debian 8/Jessie, i386, do:
> > > 
> > >     xfig xxx.fig
> > > 
> > > Then, (draw a dash-dot-dash-dot line, anyplace):
> > > 
> > >     POLYLINE drawing
> > >     
> > >     Line Style
> > >         select dash-dot-dash-dot ...
> > >             and then draw a line, anyplace
> > > 
> > > And, it does a SIGSEGV.
> > 
> > Works on amd64/stretch.  Does it work on i386/stretch?
> > 
> > If it does, you could rebuild the stretch package in jessie and use
> > that...
> > 
> > -- 
> >   Henrique Holschuh
> 
> -- 
> 
> John Conover, conover@xxxxxxxxx, http://www.johncon.com/

-- 

John Conover, conover@xxxxxxxxx, http://www.johncon.com/